Apache Druid 0.20.2 introduces new configurations to address CVE-2021-26919: Authenticated users can execute arbitrary code from malicious MySQL database systems. Users are recommended to enable new configurations in the below to mitigate vulnerable JDBC connection properties. These configurations will be applied to all JDBC connections for ingestion and lookups, but not for metadata store. See security configurations for more details.
druid.access.jdbc.enforceAllowedProperties: When true, Druid appliesdruid.access.jdbc.allowedPropertiesto JDBC connections starting withjdbc:postgresql:orjdbc:mysql:. When false, Druid allows any kind of JDBC connections without JDBC property validation. This config is set to false by default to not break rolling upgrade. This config is deprecated now and can be removed in a future release. The allow list will be always enforced in that case.druid.access.jdbc.allowedProperties: Defines a list of allowed JDBC properties. Druid always enforces the list for all JDBC connections starting withjdbc:postgresql:orjdbc:mysql:ifdruid.access.jdbc.enforceAllowedPropertiesis set to true. This option is tested against MySQL connector 5.1.48 and PostgreSQL connector 42.2.14. Other connector versions might not work.druid.access.jdbc.allowUnknownJdbcUrlFormat: When false, Druid only accepts JDBC connections starting withjdbc:postgresql:orjdbc:mysql:. When true, Druid allows JDBC connections to any kind of database, but only enforcesdruid.access.jdbc.allowedPropertiesfor PostgreSQL and MySQL.